Smartphone vendors might be learning to mistrust software, but what about the hardware? University of Michigan boffins have put this question to the world by sending unauthorised data to a Samsung turns-out-to-be-not-so-smartphone by buzzing its accelerometer.
The problem highlighted in this paper is that systems “blindly …

Re: Hang on a mo...

The whole thing has been misunderstood by El Reg, what they are doing is controlling the accelerometer's output by using sound. So if you have software which is using the accelerometer's output like a fitness tracker or pedometer app then you can spoof the amount of exercise you are getting.

Re: Hang on a mo...

So if you have software which is using the accelerometer's output like a fitness tracker or pedometer app then you can spoof the amount of exercise you are getting.

I just put mine on a washing machine with an unbalanced load, and apparently I've been walking hundreds of miles per day. I suspect though that sooner or later the people at the corporate "wellness" program are going to notice.

Re: Hang on a mo...

You're right. Read the report (PDF linked in the article) and you'll find they merely* managed to get the accelerometer to output a g-graph with a curve that vaguely resembled the word "WALNUT". There was no takeover or execution of injected code. Just manipulation of accelerometer output.

* Fair play, there was a lot of difficult maths and clever fine tuning to find resonant frequencies of the accelerometers involved.

Re: Hang on a mo...

As spun it's a bit of a bollocks story.

Yes you can spoof the sensor readings if you want to.

No there isn't any route to using this as an injection vector.

It's an interesting POC but nothing more and a bit of analysis on the sensor data would probably detect it if you had an application where something like this mattered. Especially if cross referenced with other inputs like any sensible sensor user does.

Re: Hang on a mo...

Also, the first video seems designed to give the impression that an injected sound caused a video to be played, according to the experimenters' choice. The implication is that they can make your phone show what they want you to watch.

The entire story has been hyped up by these experimenters to give themselves coverage and publicity. The Register seems to have gone along with this.

Re: Hang on a mo...

Hmm, yes.

An admittedly brief look at the ADXL345 datasheet (one of the parts they tested) indicates that the bandwidth and rate can be selected basically anywhere between 0.05Hz and 1600Hz in steps (with data rates at twice those). The diagrams indicate a digital low pass filter *after* the ADC but nothing before it.

And before the ADC is where you need an anti-aliasing filter because once alias noise is in the system there is precisely nothing you can do about it... oops!

Re: Night-clubs

Given the description of a controlled aliased signal

Given the description of a controlled aliased signal, doing the ADC sampling properly would have avoided the problem in the first place (anti-alias analogue prefilter in hardware; over-sampled DAC, digital downsampling filter; downsample). I'm going to guess that was too much bother for the manufacturers.
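
The aliasing point made in the two comments above, as an added example that is not part of the thread or the paper: a tone far above the sample rate yields exactly the same samples as slow real motion, so a digital low-pass after the ADC passes it, while an analogue filter ahead of the ADC attenuates it. The 100 Hz rate, the 5002 Hz tone, the 8-tap moving average and the first-order RC prefilter are constructed assumptions, not values from the ADXL345 datasheet or the report.

```python
import math

def alias_frequency(f_in, fs):
    """Apparent frequency (Hz) of a tone at f_in after sampling at rate fs."""
    f = f_in % fs
    return min(f, fs - f)

def sample_tone(f, fs, n):
    """n samples of a unit-amplitude cosine at f Hz, taken at fs samples/s."""
    return [math.cos(2 * math.pi * f * k / fs) for k in range(n)]

def moving_average(x, taps):
    """Digital low-pass applied after sampling (stand-in for a post-ADC filter)."""
    return [sum(x[i - taps + 1:i + 1]) / taps for i in range(taps - 1, len(x))]

def rc_gain(f, fc):
    """Magnitude response of a first-order analogue low-pass with corner fc."""
    return 1.0 / math.sqrt(1.0 + (f / fc) ** 2)

def peak(x):
    return max(abs(v) for v in x)

def demo(fs=100, f_tone=5002, f_motion=2, n=200, taps=8):
    # Constructed values: 100 Hz sample rate, 5002 Hz tone, 2 Hz genuine motion.
    tone = sample_tone(f_tone, fs, n)      # what the ADC sees with no prefilter
    motion = sample_tone(f_motion, fs, n)  # what real 2 Hz movement would give
    return {
        "alias_hz": alias_frequency(f_tone, fs),
        # Sample-by-sample difference between the tone and the real motion.
        "max_sample_diff": max(abs(a - b) for a, b in zip(tone, motion)),
        # The digital filter cannot tell the alias from motion and passes it.
        "peak_after_digital_lpf": peak(moving_average(tone, taps)),
        # An analogue low-pass at fs/2 ahead of the ADC attenuates the tone first.
        "peak_with_analogue_prefilter": rc_gain(f_tone, fs / 2) * peak(tone),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.6g}")
```
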

Re: Given the description of a controlled aliased signal

Wow... so it could be possible to spike an mp3, play it in a car, and freak out its accelerometers to pop the air bags? Turn up the volume to trick Onstar into thinking the car next to you had a wreck? Screw with the orientations of a room full of tablets? Such possibilities...

I frequently "blindly" trust the input from my eyes.

In the interests of cross-referencing and sampling accuracy I never trust my visual input without a tactile record as well, a perfectly reasonable and scientific approach.

This will form the crux of my defence as to exactly what I was doing on the 7.06 into Liverpool Street last month. I did attempt to explain everything to the ticket inspector in question, and indeed to the two gentlemen from the transport police who met me at my destination, and the rather young and excitable Standard reporter afterwards, but none of them were people of science and my explanation was simply pooh-poohed.

This, I truly feel, reflects far more badly on today's educational system than it does on any alleged positioning of my hands.

In other news

This is a non-story being hyped by the press, and what's worse the Reg totally misunderstood it! The word 'WALNUT' is displayed on an app reading sensor output, which while cute is no more of an attack vector on a smartphone than making an old style 5.25" floppy drive "sing" was.

Worst case, someone will be able to add steps to your Fitbit, making you think you walked more steps than you actually did. Oh, the horror! If we get better MEMS that are properly capable of doing dead reckoning, this technique could be used to confuse it and perhaps get someone a bit lost. However, the "loud, random noise" being blared at you to cause this would probably make you want to move away from it long before that could happen.

Johnson

Daily Mail version - with same amount of useful content as this article

Music Makes Phones EXPLODE!

* ILLEGAL IMMIGRANTS are using this life hack to reduce house prices in YOUR area.

* Playing music at the phone in your POCKET gives you CANCER.

* Rock a hot dress like our all grown up model at Femail Fashion Finder.

* Samsung and Apple CONTINUE to sell these DANGEROUS phones NEAR YOU.

* MPs do nothing.

<...picture of young woman holding phone and laughing...>

Comments 92,285

KeepEmOut - Milton Keynes

"I saw an immigrant fella once. He was on benefits, taking our jobs and eating our children. Then, while he was fitting a new kitchen for the missus, I put Ed Sheeran on, his phone exploded and my house price fell by 50 big ones. Scum. Trump is right."